Chatroulette plays Russian roulette with your privacy

Security holes in the popular video chat service could reveal your identity and allow strangers to scam you.

ITworld | July 15, 2010

Hate to break this to all those video chat fans out there, but Chatroulette isn't nearly as safe and anonymous as it appears.

The free video chat service became instantly famous for its serendipitous pairing of complete strangers via video chat, as well as for the percentage of men displaying their god-given talents in varying degrees of excitement.

Researchers from the University of Colorado and McGill University have published a study showing that Chatroulette sessions are not nearly as anonymous as they might appear. They also demonstrated how easy it is to con other Chatroulette users via canned video.

If you've never used Chatroulette, the rules are pretty simple. Turn on your Web cam, log in to the site, and wait for a random video to appear in the window above yours. Then wait for the first guy to flash you. (I logged on this morning and got a porksword in less than 1.5 seconds -- a new record.) Don't like what you're seeing? Hit the Next button and try again.

The kielbasa factor probably wasn't what 17-year-old Andrey Ternovskiy had in mind when he created Chatroulette, but it's what he got. Leave it to the InterWebs to drag everything into the gutter. It's gotten so bad that Ternovskiy is reportedly working on a 'sausage filter' to block the pervs.

"Because Chatroulette's back-end system shares user IP addresses, researchers were able to use IP-mapping services to get a general idea of a user's location .... Then by searching Facebook using information obtained in chats and comparing pictures, researchers were able to identify chatters.

"'Even in a city as big as Chicago, you can drill down and find the person you're actually talking to,' [study co-author Richard] Han said."

In fact, a cool/creepy Web site called ChatRouletteMap does something very similar, using IP address information and Google Maps to display who's chatting and where they live, down to almost their street address. It doesn't update in real time though, so someone's unlikely to come knocking at your door in the middle of a chat session.

It gets worse. The researchers were able to fool individuals into thinking they were viewing video of a live person when in fact it was a recording. In other words, a scam artist who wanted to target you could spoof his or her identity to gain your interest and/or trust.

They also said it would be easy to write software that could intercept communications from both video chatters without either of them knowing about it -- the classic "man in the middle" attack.

What bad things could possibly happen from all this? Well, if you're out there flashing your ham on the Net, or just getting a little too cozy with a stranger who isn't your spouse, you could end up publicly humiliated, blackmailed, or divorced. If you're chatting with a stranger who's pretending to be someone they're not, they could socially engineer you out of valuable information (like your home address or birth date) or lure you to Web sites where your computer is infected with malware. You know, the usual Web scams, only this time it's up close and personal.

The lessons to be gleaned from this: Just because you're not giving out your name doesn't mean you're anonymous. Your IP address won't nail your exact location the way a GPS device can, but it can come uncomfortably close -- and that information is available to every Web site you visit. Video chat is the next frontier for Web scams. And if you must talk to strangers via Chatroulette, try to keep your pants on, OK?